Back to skill

Security audit

Monad Development

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent Monad development guide, but it tells agents to persist or disclose blockchain private keys and can broadcast transactions, so it needs user review before use.

Install only if you want an agent assisting with Monad deployments. Use testnet by default, confirm before any mainnet transaction or broadcast, do not store valuable wallet keys in plaintext, prefer a dedicated low-value deployment wallet or secure secret manager, and review any contract verification payload before sending it to external APIs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs agents to persist newly generated wallet private keys to disk or project files without strong guardrails, user consent requirements, or prominent warnings about secret-handling risk. In an agent context, this is dangerous because secrets may be written to insecure locations, leaked via logs, backups, workspace sync, shell history, or accidental source control inclusion.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly tells the agent to save and disclose wallet private-key material in plain language, including informing the user where credentials are stored and suggesting plaintext locations. That creates a direct path to credential compromise and loss of blockchain funds or contract control if the key is exposed through files, transcripts, telemetry, or repository mistakes.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.